
CYBERSECURITY AS AN ECONOMIC PROBLEM

Cybersecurity may refer to the technical, legal, and organizational measures directed at maintaining or enhancing the integrity and security of information assets. It can be assessed at the level of individuals, organizations, nations or cyberspace as a whole.

Many of the Internet’s technical and behavioral standards, conventions and norms emerge from decentralized repeated decisions of actors participating in it, ranging from component and hardware manufacturers to network operators, software vendors, application and service developers, content providers, and various users. These actors are heterogeneous and have different skill sets and motives. The architectural design adopted by Internet engineers created the specific socio-technical framework that constrains and enables these actors. While information security was initially not a pressing concern, the early choices that solidified the unique open design of the Internet inadvertently created later challenges of safeguarding cybersecurity (Lessig, 1999; Hofmann, 2010).

The field of economics of information security studies factors that actors perceive as relevant for security decisions (‘incentives’), their influence on actions of individuals and organizations, and how these actions lead to emergent properties of the system. The early concepts and theories applied in the field originated from neo-classical microeconomics, and in particular the field of information economics. Economic sciences, however, constitute a wide discipline (Groenewegen, 2007; Colander, 2005). Concepts and theories from other fields, such as behavioral economics and new institutional economics, have also made their way into the economics of information security.

13.2.1 Public Goods, Externalities, Information Asymmetries and Property Rights

Cybersecurity has both private and public good characteristics: while investment in security protection entails private costs and benefits for the decision-maker, it may also benefit or harm other Internet actors.

These interdependencies are called ‘externalities’, formally defined as the direct effect of the activity of one actor on the welfare of another that is not compensated by a market transaction (Rosen, 2004). Externalities can be negative or positive. In both cases the price of the direct market transaction will not reflect the full social costs or benefits of the product or service, because the third-party effects are not taken into account by the transaction partners. Consequently, systematic deviations from an optimal allocation of resources occur even in an otherwise functioning market economy (Musgrave and Musgrave, 1973). Individual security measures may have positive and negative externalities, depending on whether attacks are targeted or non-targeted and whether the associated risk is interdependent or not (Kunreuther and Heal, 2003). There are several ways to correct for such externalities and ‘internalize’ them into decision-making. A traditional response is collective action by government or the participants in an exchange. In information markets that are multi-sided (‘platform’ markets), the platform intermediary may have incentives to internalize the externalities caused by others, to improve its business case and competitiveness. Such platforms can be seen as institutional arrangements to reduce transaction costs and address externalities (Rysman, 2009).

Another key focus of the information security literature is the situation in which information is incomplete and unevenly distributed among actors, such as when buyers in a market do not have sufficient information to reliably distinguish between high-quality and low-quality products. For example, a subscriber looking to purchase Internet access may not be able to distinguish ISPs with strong security practices from those with lax ones. This makes buyers unwilling to pay a premium for the better product and consequently discourages suppliers from offering it - a situation dubbed a ‘market for lemons’ (Akerlof, 1970).

Information asymmetry afflicts many Internet services when it comes to security and privacy, where customers cannot determine how secure a service actually is.

Although rarely recognized explicitly in the literature, a fundamental economic problem at the heart of many information security issues may be the absence of clearly defined property rights in personal and other information (Branscomb, 1994). It is this absence that gives actors in the Internet more or less free rein to appropriate information from users and store large amounts of data. Moreover, it generates recurring challenges for the establishment of a clear legal definition of cybercrime.

13.2.2 Alignment of Incentives

Cybersecurity can be improved by introducing measures that align incentives of individual actors so that deviations between private and social costs and benefits are reduced. If successful, such strategies can reduce or even eliminate security-related market failures and deficiencies. Table 13.1 presents selected high-level options for aligning incentives among Internet actors. One can strengthen the incentives for security investment and other protective measures among defenders. One can also disincentivize attackers by increasing the costs or reducing the benefits of cybercrime and other malicious actions. Although the differentiation between defenders and attackers is sometimes muddied - government agencies with an interest in vulnerabilities to spy on others, white hat hackers who attack with the goal of improving defenses - the approach is useful in exploring principal options. In the next sections of this chapter we survey the security economics literature organized around these actors. We shall examine the incentives of each actor, their interactions with the ecosystem, and security issues that they create or resolve. Among the attackers, our focus will be on cybercriminals, economically motivated and by far the largest group.

Table 13.1 Improving cybersecurity by aligning incentives of actors

Improving Cybersecurity

Incentivizing defenders
  Who: software vendors; end users and organizations; Internet intermediaries
  How: reducing information asymmetries; addressing negative externalities; education and capacity building

Disincentivizing attackers
  Who: criminals; hacktivists; nation states
  How: improved law enforcement; reducing benefits of crime; disrupting criminal resources

13.2.3 Approaches to Studying the Economics of Cybersecurity

The security economics literature can be categorized into analytical, empirical and experimental research.

Analytical studies employ methods such as game theory to deduce theoretically how actors behave in security dilemmas. Key variables, such as prices, regulation and the type of competitive interaction, are parameterized. Determining cooperative and non-cooperative equilibria of the game allows researchers to explore the conditions under which cybersecurity improves or deteriorates. As it may be difficult to derive solutions to games analytically, researchers also use computational and simulation methods to approximate outcomes. These methods offer interesting results, but their practical use may be limited by the required simplifying assumptions. Results are often highly stylized, and application to more complicated real-world situations may need careful and cautious interpretation.

Empirical studies start by collecting and observing actual cybersecurity behavior and performance. While many of the efforts are descriptive, additional insights may be gained by combining datasets of Internet measurements or surveys with data analysis to unveil how a market functions and how its actors behave. Empirical studies are a promising avenue but they also have their unique challenges, which include the dynamic nature of the phenomenon, insufficient or unreliable data, and problems of endogeneity that complicate establishing causality especially in cross-sectional comparative studies.

Experimental studies use lab or online experiments to test various hypotheses - with fewer assumptions and proxies than the other two methods. This raises challenges as to how generalizable the findings may be.

In subsequent sections of this chapter we look at all three categories of works. We focus mainly on the recent literature, since it usually also relates to earlier work, and point to classics and influential work in the field. We have chosen this approach to keep the material more manageable but also because much of the earlier research has been updated and extended in recent years. Moore and Anderson (2012) and Volume 3, Issue 1 of IEEE Security & Privacy, published in 2005, are earlier surveys of the field. For the purposes of this chapter, relevant literature has been drawn from papers presented at a number of leading security conferences, including the annual Workshop on the Economics of Information Security (WEIS), from a detailed examination of journals where scholars of the field typically publish, and through keyword search in other journals.1

Source: Bauer, J. and Latzer, M. (eds), Handbook on the Economics of the Internet. Edward Elgar, 2016, 603 pp.